Import LDAP User Groups

As an Administrator, an efficient method of creating an LDAP user group is to import an LDAP user group from a remote LDAP server. To import a user group, you must use the built-in LDAP Browser, which gets launched during the import procedure.
This topic explains the following:
  • Launch the LDAP Browser
  • Import LDAP Groups
  • Refresh LDAP Groups
  • Refresh Active Directory User Groups After an OU Change
  • Nested Groups
  • LDAP Browser Menus and Controls
  • About Pagination
  • Search and Quick Search Options
  • LDAP Browser Search Options
  • Double-Byte Characters for User and User Group Names
Launch the LDAP Browser
To import LDAP Groups into Privileged Access Manager, follow these steps:
  1. Verify that your appliance is licensed on the Configuration, Licensing page. A license is required to launch the LDAP Browser.
  2. Navigate to Configuration, 3rd Party, LDAP, and configure access to an LDAP server. Provisioning the LDAP server is necessary to make LDAP groups available for import.
  3. Select Users, Manage User Groups.
  4. Select Import LDAP Groups. The LDAP Browser launches, and you are prompted to select an LDAP domain.
     Privileged Access Manager does not support SSH and LDAP connections from a native browser because of its strong cryptography support. Update your local JCE with the unlimited strength policy jars that match your JRE version.
  5. Go to the next procedure to import the LDAP group.
If the LDAP server does not support the cipher suite that is used by the Privileged Access Manager LDAP browser, a connection failure occurs and the following error message appears: “Possible cipher mismatch with LDAP server.” During provisioning, ensure that the ciphers supported on the target LDAP server include those supported by the LDAP browser.
Import LDAP Groups
In the LDAP Browser, the Explore tab in the left pane shows a graphical representation of an LDAP tree. Select any object to see the object attributes.
Follow these steps:
  1. Select the LDAP domain and select OK to connect to it. The browser connects and displays all records below that domain.
  2. Navigate the LDAP tree in the left pane and locate the device group that you want to import. You can traverse the tree in any order or direction.
  3. To stage a device group for import, select the checkbox next to the group.
  4. Repeat these steps for each group you want to import.
  5. (Optional) Review the device groups that are selected for import:
    1. Select PAM Groups, Manage selected groups to register with the PAM appliance. The list of the Distinguished Names for all selected groups displays.
    2. Select and edit any group DN, or remove it from the staging list.
  6. Select PAM Groups, Register selected groups with the PAM appliance. A window opens displaying a list of the staged groups. You can watch the progress and display any messages that are associated with the actions.
  7. When ready to import the groups, select Register Groups in the lower-left corner. Privileged Access Manager imports the groups in the order that they are listed. The browser provides feedback and cancellation options throughout the process.
    You can cancel registration of a single group, or of all groups, even after they have started.
    When the imports are finished, each line item in the registration window shows a green checkmark for success or a red X for import failure or cancellation.
  8. (Optional) Review the status of the full list and of each individual group by selecting its line item. If you made changes to an individual group or any errors occurred, the lower Messages panel provides details.
  9. Go to Users, Manage User Groups, and confirm that the imported user groups appear on the page.
    Roles are inherited from the LDAP group. The default role is Standard User. Ignore the Roles panel, which indicates "No roles selected."
    You cannot delete a record from an imported device group. Also, you cannot edit an LDAP-imported field.
Refresh LDAP Groups
You can refresh an LDAP Group to update the records in the group.
Follow these steps:
  1. In the UI, select Users, Manage User Groups.
  2. Toward the right side of the page, select Refresh LDAP Groups. The LDAP Browser launches the Refresh Registered LDAP Groups window.
  3. Select one or more groups that you want to refresh and select Refresh Selected Groups.
Refresh Active Directory User Groups After an OU Change
A change to the organizational unit (OU) of a user results in a change to the user DN. The modified DN can affect an access policy.
PAM handles an OU change when the Active Directory group is refreshed automatically. During a refresh, the appliance searches the remote Active Directory server and updates its user record. Despite the OU change, the policy for that user is preserved.
To reflect an OU change immediately, you can manually refresh an Active Directory group in PAM. To keep the data in sync with Active Directory, refresh all the groups that now contain the user and all the groups from which the user moved.
Nested Groups
If an LDAP group appears in the member attribute of a parent group, then users in both the parent and the child groups are imported with the parent. For example, consider groups CommunityA and CommunityB, and user Person1. CommunityB is a member of CommunityA, that is, it is nested in CommunityA. Person1 is the sole member of the group CommunityB. If you import the CommunityA group, you see every member of CommunityA plus Person1 from CommunityB.
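The nested-group expansion described above, as an added illustration that is not Privileged Access Manager code: a parent group's member attribute is followed recursively, and a group that is reached twice or that forms a membership cycle is expanded only once. The in-memory DIRECTORY is a constructed sample standing in for a remote LDAP server.

```python
# Added illustration, not Privileged Access Manager code: how importing a parent
# group also pulls in the members of groups nested through its `member` attribute.
# DIRECTORY is a constructed in-memory sample standing in for a remote LDAP server.
DIRECTORY = {
    "cn=CommunityA,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": [
            "cn=Person2,ou=People,dc=example,dc=com",
            "cn=CommunityB,ou=Groups,dc=example,dc=com",  # nested group
        ],
    },
    "cn=CommunityB,ou=Groups,dc=example,dc=com": {
        "objectClass": ["group"],
        "member": ["cn=Person1,ou=People,dc=example,dc=com"],
    },
    "cn=Person1,ou=People,dc=example,dc=com": {"objectClass": ["user"], "member": []},
    "cn=Person2,ou=People,dc=example,dc=com": {"objectClass": ["user"], "member": []},
}


def resolve_members(group_dn, directory=DIRECTORY, _seen=None):
    """Return the set of user DNs reachable from group_dn through nested groups.

    Any member whose objectClass is `group` is expanded recursively. `_seen`
    records groups already expanded so that a membership cycle (A in B, B in A)
    or a group reachable by two paths is processed once and never loops.
    """
    if _seen is None:
        _seen = set()
    if group_dn in _seen:
        return set()
    _seen.add(group_dn)
    users = set()
    for member_dn in directory.get(group_dn, {}).get("member", []):
        entry = directory.get(member_dn)
        if entry is None:
            continue  # dangling reference: the member entry no longer exists
        if "group" in entry.get("objectClass", []):
            users |= resolve_members(member_dn, directory, _seen)
        else:
            users.add(member_dn)
    return users


if __name__ == "__main__":
    # Importing CommunityA lists Person2 (direct) and Person1 (via CommunityB)
    for dn in sorted(resolve_members("cn=CommunityA,ou=Groups,dc=example,dc=com")):
        print(dn)
```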
LDAP Browser Menus and Controls
The following list explains the LDAP Browser menus and controls:
Copy icon – Copy the Distinguished Name of the selected entry to the clipboard.
Group icon – Display all the groups in this container. After first selecting an object in the tree under the Explore tab, clicking this button switches you to the Results tab, where you see a fully expanded tree of all groups (objectClass: group) contained within the selected object.
File
  • Connect – Log in to an LDAP database. Invokes a pop-up window from which you can select from the currently accessible domains.
  • Disconnect – Log out from the current LDAP domain.
  • Print – Print the currently selected node.
  • Exit – Close the browser window. The browser continues running while the connection is active. During that time, you can invoke the LDAP Browser again by selecting Users, Manage Groups, Import LDAP Group.
View – Viewing options for the graphical menu items below the main menu
  • Show Button Bar – Icon-based menu. Default: On
  • Show Search Bar – Icon-based menu. Default: On
Options
  • Set LDAP Connection Timeout – Maximum time (seconds) before a connection attempt is canceled. This timeout is useful when multiple servers are specified for a particular LDAP domain in Configuration, 3rd Party. Default: 60 seconds
  • Set Result Set Page Size – Maximum number of records in an LDAP directory before pagination is triggered for representation in the browser tree, and the number of records in each page of a paginated subtree. Default: 1000
Bookmark – A bookmark can be made on any leaf in a tree. You can select the bookmark later directly from the menu. Bookmarks are saved for each domain, and appear only when the browser is connected to that domain.
  • Add Bookmark – Opens an editing window for bookmarking the currently selected leaf:
      • DN – pre-populated with the current Distinguished Name (DN)
      • Bookmark Name – pre-populated with the current Common Name (CN)
  • Edit Bookmark – Opens a bookmark selection window. Selection in turn opens a bookmark editing window (see Add Bookmark).
  • Delete Bookmark – Opens a bookmark selection window. Selection in turn deletes the bookmark and confirms the deletion.
Search
  • Search Dialog – Opens a detailed search specification window. (Contrast with Quick Search.)
  • Delete Filter – Opens a window with a list of filters for selection and deletion.
  • Return Attribute Lists
Paged Results
  • Next Page of Results – Retrieve the next page of results and display the page wrapper (Page n Results) in the Explore tree. The item is green when applicable and gray when not.
Tools
  • Stop Action – Suspends the current LDAP request. Stopping a request is useful when the page size is large and the browser is searching a large database.
Privileged Access Manager Groups – Privileged Access Manager-specific menu items
  • Manage selected groups to register with the appliance – Lists all items that are currently selected (or staged) for importing to Privileged Access Manager.
  • Register selected groups with the appliance – Perform the import operation on the selected items, which are listed in Manage selected groups to register with the appliance.
About Pagination
Pagination is available for Active Directory (AD) and OpenLDAP.
The LDAP Browser has a pagination feature to reduce the overhead of LDAP access. The browser setting Result Set Page Size specifies the maximum number of members (directories, groups, objects, or nodes) for any directory. This value is initially set to a default of 1000. If the overhead required to display all directory members is too heavy, the administrator can reduce this value.
For example, set this value to 5 to insert a pagination leaf whenever a directory has more than five members. The LDAP Browser inserts the initial pagination leaf when that directory is opened, before displaying the actual directory contents.
Search and Quick Search Options
If you know the name of the directory or object you are looking for, use one of two search options available in LDAP Browser. If the tree appears paginated in the browser, the search can still traverse the entire tree.
You can use the Quick Search button in the upper-right corner of the browser to locate the desired object.
Follow these steps:
  1. In the Explore tab tree, select the node that you want to be at the top of the search. Your choice is reflected in the Quick Search label.
  2. To the right of the Search From label, select an attribute from the drop-down list, and enter a search string in the text box.
  3. Select Quick Search. A filtered tree appears in the Results tab.
  4. Select an object in the tree to see Entry Attributes on the right.
LDAP Browser Search Options
To refine search results to a limited subset of objects, or to save a search for future use, select the menu item Search, Search Dialog.
The following list explains the search settings.
Filter Name – Assign a bookmark name for the filter. When you have filled in the remainder of this dialog, select Save in the lower right. The filter is then available from the Search menu.
Start Searching From – Identify the root node for your search.
Alias Options
  • Resolve aliases while searching – When checked: LDAP Browser returns the real entry to which the alias points. When unchecked: LDAP Browser returns all alias entries as regular entries.
  • Resolve aliases when finding base object
Search Level – Select Search Level:
  • Search Base Object
  • Search Next Level
  • Search Full Subtree
Information to retrieve – Allows you to select from a saved list in Return Attribute Lists.
Filter Operators
  • Not – Negative of the (entire) constructed entry
  • [Expression]
      • [Attribute] – Menu of all LDAP attributes: accountExpires through x500uniqueIdentifier
      • [Operator] – Logic to apply to the attribute in this expression
      • [Character string] – Text being tested with this expression
  • More – Add another logic template to concatenate with the other defined logic
  • Less – Remove the most recently defined logic
  • Save – Save the entire filled-in template under the label assigned in Filter Name
  • Load – Load an existing filter into this template for editing or copying.
  • View – Show the LDAP filter
[Template Commands]
  • Search – Perform the search as currently defined in this template.
  • Cancel – Close the dialog without executing a search or saving it to a filter name
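How the Search Dialog's [Attribute], [Operator] and [Character string] rows, the Not option and More (concatenation) compose into the filter string that View displays, as an added illustration that is not Privileged Access Manager code. The operator labels and the assumption that More joins rows with & or | are mine; the value escaping follows RFC 4515 so that text typed into [Character string] is always matched literally.

```python
# Added illustration, not Privileged Access Manager code: composing an LDAP
# search filter from the Search Dialog template rows. The operator labels are
# assumed (the page does not name them); escaping follows RFC 4515.

# Dialog operator label -> LDAP filter comparison (assumed labels)
OPERATORS = {"equals": "=", "approx": "~=", "ge": ">=", "le": "<="}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value.

    Without this, a typed string such as "*)(objectClass=*" would change the
    filter's structure instead of being matched as literal text.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def expression(attribute: str, operator: str, value: str, negate: bool = False) -> str:
    """One [Expression] row of the template, optionally wrapped by Not."""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    item = f"({attribute}{OPERATORS[operator]}{escape_filter_value(value)})"
    return f"(!{item})" if negate else item


def combine(expressions, how: str = "and") -> str:
    """Concatenate rows added with More into one filter (assumed: & or |)."""
    if not expressions:
        raise ValueError("at least one expression is required")
    if len(expressions) == 1:
        return expressions[0]
    return "(" + {"and": "&", "or": "|"}[how] + "".join(expressions) + ")"


if __name__ == "__main__":
    # What View would show for two rows joined with More
    print(combine([expression("objectClass", "equals", "group"),
                   expression("cn", "equals", "CommunityA")]))
```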
Double-Byte Characters for User and User Group Names
Privileged Access Manager provides double-byte character support. The appliance allows East Asian characters in the data store and in the UI representation of user and user group names. LDAP user names are imported and displayed with the double-byte characters maintained.
User records with double-byte characters can be imported to LDAP groups but not to individual local user records.